Lucene search

K

[email protected]NVD:CVE-2019-18678

HistoryNov 26, 2019 - 5:15 p.m.

CVE-2019-18678

2019-11-2617:15:12

CWE-444

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

81.0%

An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.

Affected configurations

NVD

Node

squid-cachesquidRange3.0–3.5.28

OR

squid-cachesquidRange4.0–4.8

Node

canonicalubuntu_linuxMatch16.04lts

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch19.04

OR

canonicalubuntu_linuxMatch19.10

Node

debiandebian_linuxMatch8.0

OR

fedoraprojectfedoraMatch30

OR

fedoraprojectfedoraMatch31

References

www.squid-cache.org/Advisories/SQUID-2019_10.txt

www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch

bugzilla.suse.com/show_bug.cgi?id=1156323

github.com/squid-cache/squid/pull/445

lists.debian.org/debian-lts-announce/2019/12/msg00011.html

lists.debian.org/debian-lts-announce/2020/07/msg00009.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

security.gentoo.org/glsa/202003-34

usn.ubuntu.com/4213-1/

www.debian.org/security/2020/dsa-4682

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

81.0%

Related for NVD:CVE-2019-18678

osv6 cve1 veracode1 ubuntucve2 redhatcve1 prion1 cvelist1 debiancve1 hackerone1 archlinux1 debian3 openvas16 nessus23 fedora2 amazon2 mageia1 gentoo1 ubuntu1 altlinux1 suse2 oraclelinux1 rocky1 almalinux1 redhat1 rosalinux1